Harden sshd crypto policy #4663
Merged: yuumasato merged 20 commits into ComplianceAsCode:master from vojtapolasek:harden_sshd_crypto_policy on Aug 2, 2019
Commits
7744704 initial commit of harden_sshd_crypto_policy rule (vojtapolasek)
41a35ff fixed typo in rule file name (vojtapolasek)
c63f501 added the severity key to rule.yml (vojtapolasek)
1128b1f initial commit of harden_sshd_crypto_policy rule (vojtapolasek)
0f6765a check done (vojtapolasek)
a740ada initial commit for bash remediation (vojtapolasek)
5595df9 fixed a typo (vojtapolasek)
da9c0e3 fixed writing into file (vojtapolasek)
cec659f fixed variable name (vojtapolasek)
9ce84e9 added actual environment variable (vojtapolasek)
61a7ea9 completed the rule.yaml file (vojtapolasek)
8c4a84e removed badly named file (vojtapolasek)
38715ee added missing space in rule.yaml (vojtapolasek)
f86b287 replaced duplicate reference (vojtapolasek)
e3dc24a added ocil to rule.yaml (vojtapolasek)
7408d49 tests created (vojtapolasek)
a5faa9e changed wording and styling in the rule (vojtapolasek)
ba95a57 quoting variables in remediation (vojtapolasek)
8544e06 fix typos (vojtapolasek)
59a7be8 wording fixes (vojtapolasek)
linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh (10 changes: 10 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 | ||
|
|
||
|
|
||
| cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" | ||
| file=/etc/crypto-policies/local.d/opensshserver-ospp.config | ||
|
|
||
| #blank line at the begining to ease later readibility | ||
| echo '' > "$file" | ||
| echo "$cp" >> "$file" | ||
| update-crypto-policies |
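Review bot: the remediation writes the override into `/etc/crypto-policies/local.d/opensshserver-ospp.config` and runs `update-crypto-policies`, but nothing restarts or reloads sshd afterwards, so an already running server is not guaranteed to pick up the new `CRYPTO_POLICY` value; either restart the service at the end of this script or state in the rule that a restart is required for the change to take effect. Two smaller points in the same hunk: the `# platform` line lists Oracle Linux 8, while every test script in this PR lists only `multi_platform_fedora,Red Hat Enterprise Linux 8`, so the supported-platform sets should be aligned; and the variable named `cp` is easy to misread as the command, a name such as `policy` would be clearer. The comment has two typos (`begining`, `readibility`).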
linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/oval/shared.xml (1 change: 1 addition & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensshserver.config", prefix_regex="^(?:.*\\n)*\s*", parameter="CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'", separator_regex="=", application="sshd") }}} |
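Review bot: the `prefix_regex` mixes two escaping styles in one string (`\\n` next to `\s`), which makes it hard to tell whether the pattern that ends up in the generated OVAL is `^(?:.*\n)*\s*` or `^(?:.*\\n)*\s*`; pick one form and verify it against the built XML, since the `correct_followed_by_incorrect` and `incorrect_followed_by_correct` scenarios depend on this prefix consuming every earlier line so that only the last assignment is compared. Please also confirm that `oval_check_config_file` escapes the `value` argument: the expected string contains `.` (in `openssh.com`), which would otherwise match any character. Finally, the full policy string is now copied verbatim into the remediation, the OVAL, the OCIL and every test script; keeping it in a single shared variable or Jinja macro would stop the copies from drifting apart.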
linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml (28 changes: 28 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Harden SSHD Crypto Policy' | ||
|
|
||
| description: |- | ||
| Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server. | ||
| The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact. | ||
| This can be done by dropping a file named <tt>opensshserver-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied. | ||
| Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt>. This rule checks if this file contains predefined <tt>CRYPTO_POLICY</tt> environment variable configured with predefined value. | ||
|
|
||
| rationale: |- | ||
| The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhel8: 82176-9 | ||
|
|
||
| references: | ||
| ospp : FCS_SSHS_EXT.1 | ||
|
|
||
| ocil_clause: 'Crypto Policy for OpenSSH Server is not configured according to CC requirements' | ||
|
|
||
| ocil: |- | ||
| To verify if the OpenSSH server uses defined Crypto Policy, run: | ||
| <pre>$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1</pre> | ||
| and verify that the line matches | ||
| <pre>CRYPTO_POLICY", value="'-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'</pre> | ||
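Review bot: the expected line in the `ocil` block is wrong: it reads `CRYPTO_POLICY", value="'-oCiphers=...`, which is the OVAL macro argument pasted in, not what `grep 'CRYPTO_POLICY' ... | tail -n 1` prints; the line should be `CRYPTO_POLICY='-oCiphers=aes128-ctr,...,ecdsa-sha2-nistp384'` with the `", value="` fragment removed, otherwise anyone doing the manual check against this text will always see a mismatch. Two further points: `references:` has a space before the colon (`ospp : FCS_SSHS_EXT.1`), unlike the other keys in the file; and the title says "Harden" while the mandated value still admits `diffie-hellman-group14-sha1`, `aes128-cbc`/`aes256-cbc` and `ssh-rsa`. The rationale explains that this set comes from the Common Criteria requirement, so it is worth saying in the description that the rule enforces the CC-specified algorithm list rather than the strongest set available, to avoid readers assuming it removes legacy algorithms.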
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1226,3 +1226,5 @@ selections: | |
|
|
||
| ## Enable dnf-automatic Timer | ||
| - timer_dnf-automatic_enabled | ||
|
|
||
| - harden_sshd_crypto_policy | ||
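Review bot: the new selection `- harden_sshd_crypto_policy` is appended without the `## ...` comment header that the surrounding entries carry (see `## Enable dnf-automatic Timer` directly above); add a matching line such as `## Harden SSHD Crypto Policy` so the profile keeps its existing layout.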
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,7 +9,6 @@ CCE-82172-8 | |
| CCE-82173-6 | ||
| CCE-82174-4 | ||
| CCE-82175-1 | ||
| CCE-82176-9 | ||
| CCE-82177-7 | ||
| CCE-82178-5 | ||
| CCE-82179-3 | ||
|
|
||
...roup_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct.pass.sh (8 changes: 8 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" | ||
|
|
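Review bot: this pass scenario writes the expected value straight into the back-end file `/etc/crypto-policies/back-ends/opensshserver.config`, so it validates the OVAL pattern but never goes through the path the remediation actually uses (a file in `/etc/crypto-policies/local.d/` followed by `update-crypto-policies`); a second pass scenario that performs those two steps would also confirm that the regenerated back-end file contains the override. Also note that the `# platform` line here, as in every other test script, omits Oracle Linux 8, which the bash remediation declares as supported.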
...are/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/correct_commented.fail.sh (7 changes: 7 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "#CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" |
...tegrity/group_crypto/rule_harden_sshd_crypto_policy/correct_followed_by_incorrect.fail.sh (8 changes: 8 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" > "$configfile" | ||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,spamspam'" >> "$configfile" |
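Review bot: this is the scenario that pins down the last-assignment-wins semantics (the check must fail even though a correct line exists), matching the `tail -n 1` used in the OCIL text; please add a one-line comment in the script saying so, because a later simplification of the OVAL `prefix_regex` to "any line matches" would silently turn this into a false pass and no other test would catch it. The appended `spamspam` token works as a marker, but a realistic wrong value (for example the same line with `-oGSSAPIKeyExchange=no` dropped) would document what kind of drift the check is meant to catch.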
...p_software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_file.fail.sh (7 changes: 7 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "" > "$configfile" |
...software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/empty_policy.fail.sh (7 changes: 7 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "CRYPTO_POLICY=" > "$configfile" |
...tegrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_followed_by_correct.pass.sh (8 changes: 8 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,bogusbogus'" > "$configfile" | ||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'" >> "$configfile" |
...ware/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/incorrect_policy.fail.sh (7 changes: 7 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| echo "CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp38'" > "$configfile" |
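Review bot: the wrong value in this scenario is a truncation (`ecdsa-sha2-nistp38` instead of `ecdsa-sha2-nistp384`), so it only fails if the OVAL pattern is anchored at the end of the value and does not accept a prefix; if `oval_check_config_file` does not guarantee that anchoring, this is the test that will expose it. Add a short comment stating that the truncation is deliberate, otherwise the missing `4` reads like a typo and is likely to be "fixed" by a later contributor.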
...software/group_integrity/group_crypto/rule_harden_sshd_crypto_policy/missing_file.fail.sh (7 changes: 7 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 | ||
| # profiles = xccdf_org.ssgproject.content_profile_ospp | ||
|
|
||
| configfile=/etc/crypto-policies/back-ends/opensshserver.config | ||
|
|
||
| rm -f "$configfile" |